Process Executing Sans Command Line (RedCanary Threat Detection Report)
Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Process Executing Sans Command Line (RedCanary Threat Detection Report)
2id: fbc13e37-c601-4935-aa4f-3eaaa9976003
3status: experimental
4description: |
5 Detects processes running without command lines, which can indicate process injection.
6 Part of the RedCanary 2023 Threat Detection Report.
7references:
8 - https://redcanary.com/threat-detection-report/techniques/process-injection/
9author: RedCanary, Sigma formatting by Micah Babinski
10date: 2023/05/10
11tags:
12 - attack.privilege_escalation
13 - attack.t1055
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 Image|endswith:
20 - '\backgroundtaskhost.exe'
21 - '\svchost.exe'
22 - '\dllhost.exe'
23 - '\werfault.exe'
24 - '\searchprotocolhost.exe'
25 - '\wuauclt.exe'
26 - '\spoolsv.exe'
27 - '\rundll32.exe'
28 - '\regasm.exe'
29 - '\regsvcs.exe'
30 selection_cmd_1:
31 CommandLine|re: '^(backgroundtaskhost|svchost|dllhost|werfault|searchprotocolhost|wuauclt|spoolsv|rundll32|regasm|regsvcs)(\.exe){0,}(\s|")*$'
32 selection_cmd_2:
33 CommandLine:
34 - null
35 - ''
36 condition: selection_img and 1 of selection_cmd_*
37falsepositives:
38 - Unknown
39level: low```
References
-
Process Injection enables adversaries to execute potentially suspicious processes in the context of seemingly benign ones.
Read More
Related rules
- Powershell Injecting Into Anything (RedCanary Threat Detection Report)
- Suspicious Network Connections (RedCanary Threat Detection Report)
- PowerShell Injecting into Other Process
- Process Execution sans Command Lines
- Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)